How do I configure an agent to read a saved event log file? (NETIQKB854)

  • 7700854
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

goal
How do I configure an agent to read a saved event log file?

goal
How do I import saved Windows event log (.evt) files?

fact
Security Manager 4.X

fact
Security Manager 3.X

fact
Security Manager 5.X

fix

NOTE: For SM 5.5 and 5.6, see the note below before following these steps.

To import .evt files successfully, the agent computer where you perform these steps must run the same operating system as the computer the .evt files came from.

To read a saved event log (.evt) file:

  1. Click Start | Run and type regedit in the Open field.  The Registry Editor Window will be displayed.

  2. (Security Manager pre 5.1)
    Click HKEY_LOCAL_MACHINE | Software | Mission Critical Software | OnePoint | Configurations | <Your Configuration Name> | Operations | Agent | Event Providers | NT Event Log.

    (Security Manager 5.1)
    Click HKEY_LOCAL_MACHINE | Software | NetIQ | Security Manager | Configurations | <Your Configuration Name> | Operations | Agent | Event Providers | NT Event Log.

  3. To find the correct key to use in step 4, highlight a GUID key in the left pane. Its description value, which holds the name of the event log, is displayed in the right pane. For example, if you have saved an NT application log, create the following key:

    • (SM pre 5.1) HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint\Configurations\<Your Configuration Name>\Operations\Agent\Event Providers\NT Event Log\{F6DA1507-12AF-11D3-AB21-00A0C98620CE}\Saved Files

    • (SM 5.1) HKEY_LOCAL_MACHINE\Software\NetIQ\Security Manager\Configurations\<Your Configuration Name>\Operations\Agent\Event Providers\NT Event Log\{F6DA1507-12AF-11D3-AB21-00A0C98620CE}\Saved Files

  4. Right-click anywhere in the window, select New | Key, and create a registry key named Saved Files.

  5. Within the Saved Files key, create a string value named 'path'; its data should be the path to the saved event log. For example, set the value to C:\Logs\SERVER1.EVT.

  6. Stop and restart the OnePoint service (the NetIQ Security Manager service for SM 5.1) on the agent machine. The saved log files will be processed when the agent restarts. After they have been processed, the Saved Files key will be deleted.
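
The same steps as a script, added here as an example (it is not NetIQ's own code). It assumes PowerShell 3.0 or later in an elevated session on the agent; the parameter names, the lower-case 'description' value name, and the service display names used for the restart are assumptions based on the wording of steps 3 and 6.

```powershell
# Added example: scripted form of steps 2-6. Items marked "assumption" are not from the article.
param(
    [Parameter(Mandatory)] [string] $ConfigurationName,  # <Your Configuration Name>
    [Parameter(Mandatory)] [string] $EvtPath,            # e.g. C:\Logs\SERVER1.EVT
    # Provider GUID; the default is the article's NT application log example.
    [string] $ProviderGuid = '{F6DA1507-12AF-11D3-AB21-00A0C98620CE}',
    [switch] $Sm51,           # set on a Security Manager 5.1 agent
    [switch] $RestartService  # also perform step 6
)
$ErrorActionPreference = 'Stop'

# Refuse to queue a file that does not exist on this agent.
if (-not (Test-Path -LiteralPath $EvtPath -PathType Leaf)) {
    throw "Saved event log not found: $EvtPath"
}

# Step 2: the vendor branch differs between pre-5.1 and 5.1 agents.
$vendor = if ($Sm51) { 'NetIQ\Security Manager' } else { 'Mission Critical Software\OnePoint' }
$ntLog  = "HKLM:\Software\$vendor\Configurations\$ConfigurationName" +
          '\Operations\Agent\Event Providers\NT Event Log'
if (-not (Test-Path -LiteralPath $ntLog)) { throw "Key not found: $ntLog" }

# Step 3: list every GUID key with its description so the chosen GUID can be confirmed.
Get-ChildItem -LiteralPath $ntLog | ForEach-Object {
    $desc = (Get-ItemProperty -LiteralPath $_.PSPath).description  # assumption: value name
    '{0}  {1}' -f $_.PSChildName, $desc
}
$provider = Join-Path $ntLog $ProviderGuid
if (-not (Test-Path -LiteralPath $provider)) { throw "No provider key: $provider" }

# Steps 4-5: create the Saved Files key and its 'path' string value.
$saved = Join-Path $provider 'Saved Files'
if (-not (Test-Path -LiteralPath $saved)) { New-Item -Path $saved | Out-Null }
New-ItemProperty -LiteralPath $saved -Name 'path' -Value $EvtPath `
    -PropertyType String -Force | Out-Null
"Queued $EvtPath under $saved"

# Step 6: restart the agent service so the saved log is processed.
if ($RestartService) {
    # Assumption: the service display name matches the name given in step 6.
    $display = if ($Sm51) { 'NetIQ Security Manager' } else { 'OnePoint' }
    Get-Service -DisplayName $display | Restart-Service
}
```

Because the agent deletes the Saved Files key after processing, running `Test-Path` against that key after the restart shows whether the import has completed.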


note
To import .evt files in Security Manager 5.5 or 5.6, you will need to install a manual SM 5.1 agent and perform the above steps on that agent.  Please see the Security Manager Installation Guide for more information about installing a manual agent.

Additional Information

Formerly known as NETIQKB854